Report Summary
Social Security Administration Office of the Inspector General

September 2009

Follow-up: The Social Security Administration’s Computer Security Program Compliance
(A-14-09-19048)

Objective

Our objective was to determine whether the Social Security Administration (SSA) had implemented the recommendations in our June 2001 report, Compliance of the Social Security Administration’s Computer Security Program with Applicable Laws and Regulations (A-13-98-12044).

Background

Our June 2001 report stated that SSA lacked a strong framework for overall security administration, policy development, and policy implementation. We made five recommendations, which included that SSA: (1) Centralize its systems security management structure to comply with applicable laws; and (2) Develop a more inclusive system security plan for the mainframe and distributed computing environments.

SSA considered each of the five prior recommendations to be implemented and closed. Our follow-up review determined that SSA had implemented Recommendations 2 and 4. However, SSA had not fully addressed Recommendations 1, 3 and 5. Despite SSA’s efforts to address these recommendations, our current review found that:

SSA continued to have a decentralized/fragmented information security management structure;

the Office of the Chief Information Officer did not have sufficient delegated authority and resources to carry out its responsibilities for SSA’s information security program;

SSA had not sufficiently documented its policy and procedures to ensure all systems users receive timely notification of imminent security incidents; and